Stonefly

Threat Actor Profile Updated 3 months ago
Stonefly, also known as Andariel or Silent Chollima, is a threat actor group believed to be linked to the North Korean government. Active since at least 2015, Stonefly has been involved in numerous attacks, including several attributed to the North Korean state-sponsored operation Lazarus. The group gained notoriety for its ransomware campaigns, notably the Maui ransomware attacks on Healthcare and Public Health (HPH) sector organizations from May 2021 onwards. Researchers have identified the use of various malware families by Stonefly, including DTrack and MagicRAT, delivered by exploiting vulnerabilities such as Log4j.

The EarlyRat trojan, a new form of malware, was attributed to Stonefly by researchers at Kaspersky. The discovery was made during an unrelated investigation and led to a deeper exploration of the group's activities. Stonefly, believed to be a subgroup within the Lazarus team, has consistently demonstrated innovative tactics in its operations, including the exploitation of the Log4j vulnerability with multiple malware families.

Separately, the similarly named StoneFly Inc., a provider of storage, hyperconverged, backup and disaster recovery, and cloud solutions, offers a Ransomware Protection Suite aimed at threats such as those posed by groups like Stonefly. The suite integrates data protection features, including Immutable S3 ObjectLock and Immutable Snapshots, intended to safeguard data against ransomware encryption and unauthorized access. Multi-Factor Authentication (MFA) adds an extra verification layer to protect system access.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile description

Andariel (3 votes): Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res

Silent Chollima (2 votes): Silent Chollima, a North Korea-nexus threat actor, is known for its malicious cyber activities. The group, which is part of the 3rd Bureau of the Foreign Intelligence and Reconnaissance General Bureau, North Korea's foreign intelligence agency, has been associated with other groups such as Lazarus,

Dtrack (1 vote): DTrack is a type of malware, or malicious software, known for its destructive capabilities. It can infiltrate systems through dubious downloads, emails, or websites and wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, DTrack was utiliz

Lazarus Team (1 vote): (no description)
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Apt
Ransomware
Trojan
Malware
State Sponso...
Vulnerability
Encryption
Reconnaissance
Phishing
Exploit
Log4j
Lateral Move...
Payload
Associated Malware
ID, type (votes): Profile description

EarlyRat, type unspecified (1 vote): EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,

MagicRAT, type unspecified (1 vote): MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMware Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
ID, type (votes): Profile description

Log4Shell, type unspecified (1 vote): Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
Source Document References
Information about the Stonefly threat actor was read from the documents in the corpus listed below. This display is limited to 20 results.
Source (created): Title

Securityaffairs (7 months ago): Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU (a year ago): North Korean Hacker Group Andariel Strikes with New EarlyRat Malware – GIXtools
CERT-EU (10 months ago): Complete Ransomware Protection Suite for Veeam, Commvault, Rubrik, and Veritas - September 22, 2023 at 01:31 pm EDT | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): Hackers use public ManageEngine exploit to breach internet org
Securityaffairs (a year ago): North Korean Andariel APT used a new malware named EarlyRat
CERT-EU (a year ago): North Korea-linked Andariel APT used a new malware named EarlyRat last year | IT Security News
CERT-EU (a year ago): Log4j bug exploited to push novel EarlyRat malware
CERT-EU (a year ago): North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
Malwarebytes (a year ago): CISA issues alert with South Korean government about DPRK's ransomware antics
CERT-EU (a year ago): Attacks by Lazarus sub-group involve novel EarlyRAT malware